Joshua Lock
I think the ideal place for quick start documentation for a library like python-tuf is the developer documentation on RTD.
I'm not sure if it's deserving of a separate label, but we should make it clear that the result of every discussion should be documented. Whether a decision record, contributor...
I don't think we should ship papers as part of the packaging, even if they live in this repo. We have an issue to clean up what we include in...
> I understand that that does not cover all the bases this PR does (as explained in previous comment)... but their approach seems more approachable and easier to integrate. python-tuf...
> > ``` > > 1. Is there a plan to completely remove `keyid_hash_algorithms` in the course of the TAP 12 implementation? If not, we need to create a separate...
https://github.com/slsa-framework/slsa-jenkins-generator has been donated to the OpenSSF by Samsung and moved into the slsa-framework organisation. I think we are good to close this issue?
I've filed https://github.com/in-toto/attestation/issues/114 against the in-toto/attestation repo to discuss the idea of including an `evidence` field in the statement.
I agree, this feels like something we should resolve prior to 1.0.
I'm not familiar with the state of fuzzing in Go, but it might also be necessary to port the fuzzing logic to the API of the native fuzzer.
This is brilliant work, thanks for taking the time to think this through and document it. I completely agree with your statements with the additional constraint in https://github.com/theupdateframework/python-tuf/issues/2014#issuecomment-1335276083 that "any...